Mailinglist Archive: opensuse-security (196 mails)

Re: [suse-security] limiting sftp users to specific dir
  • From: - Edwin - <copperwa11s@xxxxxxxxxxx>
  • Date: Sun, 24 Oct 2004 01:47:43 +0900
  • Message-id: <20041024014743.28babd61@xxxxxxxxxxxxxxxxxx>
Hello!

On Thu, 21 Oct 2004 18:09:23 +0300
Hugo <hg.list@xxxxxxxxx> wrote:

> Hello!
>
> I finally changed my servers from Windows to Linux (SuSE
> 9.1). In windows I used to have F-Secure SSH-server
> (student licence) and I had set it up so that I could
> access via SFTP all the system (I also had SSH access), but
> others only their own directory. And what's more, the SFTP
> directories were defined as d:\sftp\%username%. Very clean
> system with no problems for the users.
>
> Bear with me as I probably do not know how to ask this in a
> simple way and I do not know the right terms... I'll try to
> explain what I would like to do (almost the same as in
> Windows):
>
> With SuSE I had SSH server up and running very fast. So now
> I have different types of users:
> 1) Me: local user, remote with SSH and X + SCP/SFTP
> (unlimited)
> 2) Family: local users, remote with SFTP
> limited to users home dir (or some empty dir under it)
> 3) Remote family: only remote SFTP limited to some empty
> dir somewhere (not necessarily under home dir)
>
> The current situation with SuSE defaults is that if I
> create a user and use WinSCP to access the server with that
> user, they can see just about every file there including
> other users home dirs. Not good.

I think the problem stems from the fact that when you add a
new user using YaST (using all default settings), the default
group would be "users" and the permissions on the home
directory would be something like this:

drwxr-xr-x

So, yes, this is *not* good since the group "other" will have
read + execute permissions on one's home directory. Also,
depending on your needs, putting everyone in the same group
(e.g. "users") can be considered "not good" as well. And this
is why "other users" can see other users' home directories.

> (I thought by default Linux was more secure...)

Well, maybe this is true for the "Personal" or "Professional"
versions of *SUSE* Linux ;) (Not sure about the server
version since I haven't tried it.)

Apparently there's a problem, IMHO, with the current
implementation in YaST when adding users using the default
settings. Anyway, I'm sure not all linux distros behave the
same way. Besides, there's a "fix" for that default behavior
of YaST -- see below.

> Also, just the complexity of all
> the stuff that is in the users home dir would confuse many
> users. They just need to see one empty dir where to
> transfer files from and to. For those that log in locally,
> this dir should be under the home dir, like Documents. And
> the 3rd type of users should only have access to one dir
> that is completely empty except for their own files.
>
> First question: Can this be done? (Please don't tell me I
> have to go back to windows server... )
> Second: how?

Somebody already mentioned "chrooting" or "scponly" so
let me just mention a completely different approach.

First, when adding users, try the "old" way, something like:

1. groupadd newgroup
2. useradd newuser -g newgroup
3. passwd newuser
4. mkdir /home/newuser
5. chown -R newuser:newgroup /home/newuser
6. chmod 700 /home/newuser

Now, for the remote (secure) file transfers try this setting:

Apache+SSL+WebDAV+acl

One advantage here is that, most likely, they are already
installed in your linux box. Just edit the conf files, setup
permissions (acl), start Apache and everything's done :)

Besides, if those who need to transfer files remotely are
using Windows, they just need to "Add a Network Place" and no
need to install additional programs.

> Sorry for not being more exact in defining the problem.
> Hopefully you got the idea. I'm not new to computers and
> I'm quite happy to edit config files... except that this
> time I didn't find what to edit (sshd_conf doesn't seem to
> have options for limiting users like this).

PS.

BTW, just a side note, if you're really concerned about
security, perhaps you should try the server version and use
SELinux. Or, check some other linux distros that are
specifically made for servers.

Or, try a BSD flavor of Unix, OpenBSD or NetBSD, anyone? :)

But of course, even SUSE Personal can be "hardened" -- it
just needs a bit more work ;)

--
- E - on SUSE 9.1 | blackbox 0.65 | copperwalls was here ;)
"The righteous themselves will possess the earth,
And they will reside forever upon it." - Psalms 37:29
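
Added example, not part of the original message: a shell audit that finds home directories still carrying group/other permission bits (such as the drwxr-xr-x default described above) and prints the chmod 700 fix for each. It assumes GNU find and stat; the function names and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit home directories for group/other access.
# Assumes GNU find and stat; all function names here are hypothetical.

# Print "<octal mode> <owner>:<group> <path>" for each directory directly
# under $1 (default /home) that grants any bit to group or other.
list_exposed_homes() (
    base=${1:-/home}
    find "$base" -mindepth 1 -maxdepth 1 -type d -perm /077 \
        -exec stat -c '%a %U:%G %n' {} + | sort -k3
)

# Report exposed directories with the suggested fix.
# Returns 0 when every directory is private, 1 otherwise.
audit_homes() (
    base=${1:-/home}
    exposed=$(list_exposed_homes "$base")
    if [ -z "$exposed" ]; then
        echo "OK: no directory under $base grants group/other access"
        return 0
    fi
    echo "Exposed directories under $base:"
    printf '%s\n' "$exposed" | while read -r mode owner path; do
        echo "  $path (mode $mode, $owner) -> chmod 700 '$path'"
    done
    return 1
)

# Constructed demo: one directory with the 755 default, one already 700.
demo_constructed_tree() (
    tmp=$(mktemp -d)
    mkdir "$tmp/newuser" "$tmp/olduser"
    chmod 700 "$tmp/newuser"    # what step 6 in the message produces
    chmod 755 "$tmp/olduser"    # the drwxr-xr-x default
    audit_homes "$tmp"
    status=$?
    rm -rf "$tmp"
    return "$status"
)

# Run the demo only when asked: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_constructed_tree
fi
```

Run `audit_homes /home` as root on the server to see which existing accounts still need the chmod 700 step.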
